01
Mar 18

Financial Cyber Threat Sharing Group Phished

The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.

The fallout from the back-to-back phishing attacks appears to have been limited and contained, as many FS-ISAC members who received the phishing attack quickly detected and reported it as suspicious. But the incident is a good reminder to be on your guard, remember that anyone can get phished, and that most phishing attacks succeed by abusing the sense of trust already established between the sender and recipient.

The confidential alert FS-ISAC sent to members about a successful phishing attack that spawned phishing emails coming from the FS-ISAC.

Notice of the phishing incident came in an alert FS-ISAC shared with its members today and obtained by KrebsOnSecurity. It describes an incident on Feb. 28 in which an FS-ISAC employee “clicked on a phishing email, compromising that employee’s login credentials. Using the credentials, a threat actor created an email with a PDF that had a link to a credential harvesting site and was then sent from the employee’s email account to select members, affiliates and employees.”

The alert said while FS-ISAC was already planning and implementing a multi-factor authentication (MFA) solution across all of its email platforms, “unfortunately, this incident happened to an employee that was not yet set up for MFA. We are accelerating our MFA solution across all FS-ISAC assets.”

The FS-ISAC also said it upgraded its Office 365 email version to provide “additional visibility and security.”

In an interview with KrebsOnSecurity, FS-ISAC President and CEO Bill Nelson said his organization has grown significantly in new staff over the past few years to more than 75 people now, including Greg Temm, the FS-ISAC’s chief information risk officer.

“To say I’m disappointed this got through is an understatement,” Nelson said. “We need to accelerate MFA extremely quickly for all of our assets.”

Nelson observed that “The positive messaging out of this I guess is anyone can become victimized by this.” But according to both Nelson and Temm, the phishing attack that tricked the FS-ISAC employee into giving away email credentials does not appear to have been targeted — nor was it particularly sophisticated.

“I would classify this as a typical, routine, non-targeted account harvesting and phishing,” Temm said. “It did not affect our member portal, or where our data is. That’s 100 percent multifactor. In this case it happened to be an asset that did not have multifactor.”

In this incident, it didn’t take a sophisticated actor to gain privileged access to an FS-ISAC employee’s inbox. But attacks like these raise the question: How successful might such a phishing attack be if it were only slightly more professional and/or organized?

Nelson said his staff members all participate in regular security awareness training and testing, but that there is always room to fill security gaps and move the needle on how many people click when they shouldn’t with email.

“The data our members share with us is fully protected,” he said. “We have a plan working with our board of directors to make sure we have added security going forward,” Nelson said. “But clearly, recognizing where some of these softer targets are is something every company needs to take a look at.”

Tags: , , ,

38 comments

  1. Kudos to the ISAC people for not making a claim that it was a sophisticated nation-state attack.

    • It’s also pretty responsible of them to notify their members the *same day* the incident took place.

      • As an FS-ISAC member, that is how they roll. Top notch organization in spite of this event.

        • Before we give FS-ISAC too much credit for that lightning quick notification, they kinda had to. The phish went to FS-ISACs CyberIntel subscribers. All those cyber and malware experts knew exactly what they received.

          • Let’s not try to detract from any person or company that does the right thing in a world where this is the exception and not the rule.

            • Yes, they did well to catch it early and undertake remediation but any security scheme that relies on ordinary mortals to do the right thing all the time is bound to fail.

            • No, let’s criticize when criticism is due. This is a cybersecurity organization that got compromised by an admittedly non-targeted, unsophisticated attack. That’s shameful, and there’s no need to set the bar so low that we give them credit not covering it up. It’s okay to expect a bit more out of cybersecurity firms.

              • Unfortunately, even the cybersecurity business is staffed by humans. Until we stop having to cram 14 hours worth of work into every 8 hour day, this is going to happen even to some of the best.

              • I wonder which ‘beacon of perfect security’ company you work at. It’s easy for people in infosec to judge, but humans will always be a key part of an organization’s security posture, and humans will make mistakes regardless of how much training they’ve received.

                I applaud FS-ISAC for being open about this and responding quickly and appropriately.

  2. They must have noticed how far lies or understatements get companies when dealing with situations like this.

    They also get to acknowledge an attack that ended up relatively harmless, which makes them look good.

    Finally, they seem to be viewing the event as a none-too-friendly reminder that anyone can be hit by these attacks, instead of trying to use it as a confidence booster.

    This is a well-handled PR/Security news piece for the company.

  3. It can happen to the best of us – these emails can be so carefully crafted, they can fool you in a heart beat. I was suckered once, but fortunately my password utility saved me! I felt pretty stupid, but there really wasn’t much I would have been suspect on, because it got though the spam filter like a breeze. There were no active images on the page, so it look exactly like a legitimate PayPal communication. The subject matter was mundane and typical of an official e-mail. My real name was on it too – they can get that off many of the criminal dump sites. I haven’t see a good one again in years though – the Microsoft Outlook webmail site is just too good at blocking suspicious emails, so I haven’t reported one in three years now. Needless to say – I only follow emails on my honey pot lab – I never follow an email link other than that.

    • Let’s not give them too much credit. The attempt was so juvenile, it makes you wonder what their training program looks like and whether they run their own internal test phishing campaigns. Considering who their members are, I would think they wouldn’t be susceptible to these amateurish attempts.

      • So you’ve never been caught off guard, never made a mistake? Never clicked a link by accident? Never had an off day?

        We’re all human, no matter how good you are, we all make mistakes. That’s why phishing/social engineering continues to work – the human element.

      • That’s the problem with compliance and training. Unless a new employee has to go through it all before they’re put to work there’s a gap. Even a monthly phish exercise can leave a gap of a month that can get exploited.

        And for everyone who promotes a specific technology, I’ve seen every one of them fail at one time or another. No technology and no person is perfect. The best they can do is reduce the chance of an incident, not eliminate them.

  4. I’m an FS-ISAC member and I didn’t get hit with the phish message. It was only sent to “select” members and I wonder how widespread the attack was.

    Stop, look, think! It’s not just a slogan…

    • Interesting, I got it and immediately reported it to our InfoSec. Didn’t get the notice it was a phish tbough.

  5. Brian et.al.,

    Is the “…barracuda” link for just those who have businesses and servers?

    We have clicked on the “https://krebsonsecurity.com/barracuda/” link, and immediately got connected to the
    “http://content.barracuda.com/l/10742/2018-01-25/6fwmtt” link and had to insert our first and last name, company and email.

    How should we proceed? This senior is puzzled.

  6. I very much dislike being asked to click on banking/financial links embedded into an email. Yet the banks and financial companies frequently send out messages with embedded links.

    This is how I translate the message: “Please click on this strange email link that you can’t be certain even came from our company because email headers are so very easy to forge and look-alike domain names are so very easy to get.”

    What’s mostly frustrating is that the same companies have a “Secure Message” area on their websites. A bank/financial email should never read anything but: “You have a secure message, go login and read it”.

    • vb: Call your bank and ask them to confirm it every single time you get one. Tell friends who bank there to do the same thing. Let the CSR know why you thought it was suspicious and that you’d prefer they use the secure message feature. Eventually, they will figure out that their messages are costing them money.

      Or, switch banks

  7. Pathetic this happened to them. For an organization that deals day in day out with threats they should have been FAR more prepared. The CEO’s excuse of “we’ve grown” is total nonsense.

  8. Since the FS-ISAC was heavily involved with the formation of the Legal Services ISAO (LS-ISAO), do we know if any law firms received the same or similar phishing email as a result of this incident?

  9. Kudos to FS-ISAC for not giving this attack a hype name, like Heartbleed, Meltdown, …

  10. Yeah, I’ll just repeat that this can happen to anyone.

  11. You will be attacked, and it’s likely some of those attacks will be successful. It’s how you react afterwards that will set you apart. How many companies have REALLY tested and practiced their e-2-e incident response process?

  12. It wouldn’t completely solve the problem, but having the option to remove the ability to click on links in email messages would go along way to prevent many incidents like this. Copy and paste doesn’t take that much time and takes more awareness than just clicking on something.

    And having a browser setting that you could turn on that would inform you that you are about to visit a domain that you have never visited before, “Are you sure you want to do this?” would also help some users to avoid being tricked or confused.

    Why do we continue to make things so easy for bad actors when we have so many simple solutions to keep us safe?

    • Andrew Rossetti

      KnowBe4 has a tool that does exactly this, called SecondChance. It also logs each action and url clicked by user and device. Pretty handy.

    • “It wouldn’t completely solve the problem, but having the option to remove the ability to click on links in email messages would go along way to prevent many incidents like this.”

      What makes you think so?

      May I respectfully suggest that you go back and re-read the company’s description of what happened here? If you read it carefully, you may note that there is a HUGE GAPING HOLE in the description of the original compromise.
      The company says only that some dumass employee “clicked on a link” that he shouldn’t have, and that SOMEHOW this action caused said employee’s “login credentials” to be compromised, i.e. given up to the attacker.

      Now, I ask you: Just what sort of absurdly ridiculously insecure browser hands over your “secure” login credentials when you just simply click on some “bad” link, nefarious or otherwise?

      There is clearly more to this story than the company told, or than Brian wrote. Did the idiot employee in question (a) have a seriously out-of-date and unpatched browser? Was he (b) running that on top of Windows XP? Or did he just (c) simply get redirected to a site that asked him for his login ID and password, and did he then foolishly enter those, without stopping to check if the site in question was one he even knew OR if it had a little padlock next to its URL in the browser’s location bar?

      The correct answer is most probably (c)… the baboon in question just got out-and-out phished, because he a moron, untrained or otherwise. If you had made the link in the PDF unclickable, he just would have cut and pasted that into a a new browser window and then he would have STILL gotten phished. Why? because he’s a dumb ass. (True fact: A staggering 49.999% of the population is of below-average intelligence.)

      Of course, the hilarious part of this whole story is that this specific dumbass is one of the people within this organization (FS-ISAC) that is supposed to be helping to keep our banks safe from cyberthreats. I mean Jesus! I know 14 years olds that are smart enough not to make this kind of mistake!

      It’s all enough to make one appreciate the value of a good old fashioned mattress…. you know… the kind you can tuck your money under for safekeeping. Given the story above, that looks like the safer bet to me. (See also: Wells Fargo. My mattress will never open an unauthorized account on my behalf, that’s for sure.)

      • Are you enjoying your view from your high horse?

        While you’re up there, you may want to do some research on why having a “little padlock”doesn’t mean anything with regards to the site you’re visiting being legitimate.

        If you’re going to distribute your wisdom, try a little more knowledge and a little less attitude. And don’t be too certain about which side of the average intelligence line you fall.

    • Thunderbird used to have Simple HTML [1] which was a pretty good compromise…

      [1] http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Viewing_Headers#Simple_HTML

  13. Why have we not moved to a Zero Trust email framework? Honestly, I can’t fathom why we continue down the path of allowing our weakest links to sink the ship.

  14. While reading the article and the email contained within, it dawned on me that there isn’t a better way to launch a phishing attack than to embed a malicious link within an email crafted to look like the one in the article. This takes the “Be On Your Guard” warning to a whole new level indeed.

  15. oh the irony hurts so much when it happens to you

  16. FS-ISAC’s response to the incident is what everyone shall follow in the future!

  17. The URL and sender reputation filtering features on the Cisco ESA would have caught this, as would an Exchange rule to block your own domain name when coming from the outside to the inside.

  18. This is totally inexcusable. If an organization is using O365 and data or financial security is required then MFA is an absolute necessity. NIST may or may not apply to them, but this is one of the many NIST requirements. This tells me that they were either IT security clueless or their IT department is either outsourced or inadequately funded or all of the above.

  19. wow. it’s like a police car getting carnapped in front of the police station.